Antonios Atlasis, working with ERNW GmbH, reported a serious IPv6 defrag issue. This issue has been fixed in Suricata 2.0.2.
The issue was caused by a logic error in the way the defrag timeout configuration was set up. If no config was found for a specific host, there would effectively be no timeout. This led to defrag 'trackers' being cleaned up prematurely. The premature clean up of the tracker lead to Suricata failing to perform the IP reassembly.
The failed reassembly of these IP packets then leads to missing packets in TCP stream reassembly, HTTP tracking and detection. Thus, a pretty serious issue.
Solution: upgrade to 2.0.2
A work around for 2.0 and 2.0.1 is to add the following config to your yaml:
defrag: memcap: 32mb hash-size: 65536 trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) prealloc: yes timeout: 60 host-config: - all: timeout: 60 address: ["0.0.0.0/0", "::/0"]
The top part is the default config in the yaml, the host-config part is the work around.
Even though it was reported as an IPv6 issue, I believe that IPv4 is also affected.
Thanks to Antonios Atlasis for reporting this issue.